Cisco PIX Firewall System Log Messages, Version 6.3
Introduction


Table Of Contents

Introduction

New and Deleted Messages

EMBLEM Format Option in Version 6.3.1

New and Deleted Messages in Version 6.3.1

New Messages in Version 6.3.1

Deleted Messages in Version 6.3.1

New and Changed Messages in Version 6.3.2

New Messages in Version 6.3.2

Changed Messages in Version 6.3.2

Logging Command Overview

Enabling Logging

Testing the Logging Output

Setting the Syslog Output Location

Sending Syslog Messages to the Buffer

Sending Syslog Messages to a Telnet Console Session

Sending Syslog Messages to a Syslog Server

Sending Syslog Messages to an SNMP Management Station

Receiving SNMP Requests

Sending SNMP Traps

Disabling and Enabling Specific Syslog Messages

Disabling Specific Syslog Messages

Viewing a List of Disabled Syslog Messages

Reenabling Specific Disabled Syslog Messages

Reenabling All Disabled Syslog Messages

Understanding Log Messages

Log Message Format

Severity Levels

Variables

Other Remote Management and Monitoring Tools

Cisco PIX Device Manager

Cisco Secure Policy Manager

SNMP Traps

Telnet


Introduction


This chapter lists new and deleted messages in recent versions of the PIX Firewall software. It also describes how to view and manage syslog messages, how to understand the messages, and which other remote management and monitoring tools are available.


Note Not all system log messages represent error conditions. Some messages simply report normal events.


This chapter includes the following sections:

New and Deleted Messages

Logging Command Overview

Enabling Logging

Setting the Syslog Output Location

Disabling and Enabling Specific Syslog Messages

Understanding Log Messages

Other Remote Management and Monitoring Tools

New and Deleted Messages

This section lists new and deleted messages for each software release:

EMBLEM Format Option in Version 6.3.1

New and Deleted Messages in Version 6.3.1

New and Changed Messages in Version 6.3.2

EMBLEM Format Option in Version 6.3.1

This feature enables you to log messages to a syslog server in Cisco EMBLEM format. EMBLEM syslog format is designed to be consistent with the Cisco IOS format and is more compatible with CiscoWorks management applications.

Example:

[no] logging host [in_if_name] ip_address [protocol/port] [format emblem]

UDP only—EMBLEM format logging is available for UDP syslog messages only (because the RME syslog analyzer supports only UDP syslog messages). If you use the option together with tcp/port, an error is generated. If EMBLEM format logging is enabled for a particular syslog host, then EMBLEM format messages are sent to that host.

logging host—The logging host ip_address format emblem command enables EMBLEM format logging on a per-syslog-server basis.

timestamp—The EMBLEM format is available for both messages with and without timestamp. If the logging timestamp option is also enabled, then EMBLEM format messages with a time stamp are sent.

device-id—The logging device-id command displays a unique device ID in non-EMBLEM format syslog messages that are sent to the syslog server. This command is available in PIX Firewall software Version 6.2.2.115 and higher. If enabled, the PIX Firewall displays the device ID in all non-EMBLEM-formatted syslog messages. However, it does not affect the syslog message text that is in EMBLEM format.

New and Deleted Messages in Version 6.3.1

The following sections list messages that were added or deleted in Version 6.3.1:

New Messages in Version 6.3.1

Deleted Messages in Version 6.3.1

New Messages in Version 6.3.1

The following messages were added in Version 6.3.1.

%PIX-n-106100: access-list acl_ID {permitted | denied | est-allowed} protocol interface_name/source_address(source_port) -> interface_name/dest_address(dest_port) hit-cnt number ({first hit | number-second interval})

%PIX-1-106101: The number of ACL log deny-flows has reached limit (number).

%PIX-7-109021: Uauth null proxy error

%PIX-4-109022: exceeded HTTPS proxy process limit

%PIX-2-215001: Bad route_compress() call, sdb= number

%PIX-3-302019: H.323 library_name ASN Library failed to initialize, error code number

%PIX-3-317001: No memory available for limit_slow

%PIX-3-317002: Bad path index of number for IP_address, number max

%PIX-3-317003: IP routing table creation failure - reason

%PIX-3-317004: IP routing table limit warning

%PIX-3-317005: IP routing table limit exceeded - reason, IP_address netmask

%PIX-3-318001: Internal error: reason

%PIX-3-318002: Flagged as being an ABR without a backbone area

%PIX-3-318003: Reached unknown state in neighbor state machine

%PIX-3-318004: area string lsid IP_address mask netmask adv IP_address type number

%PIX-3-318005: lsid IP_address adv IP_address type number gateway gateway_address metric number network IP_address mask netmask protocol hex attr hex net-metric number

%PIX-3-318006: if interface_name if_state number

%PIX-3-318007: OSPF is enabled on interface_name during idb initialization

%PIX-3-318008: OSPF process number is changing router-id. Reconfigure virtual link neighbors with our new router-id

%PIX-3-320001: The subject name of the peer cert is not allowed for connection

%PIX-4-405001: Received ARP {request | response} collision from IP_address/mac_address on interface interface_name

%PIX-4-405002: Received mac mismatch collision from IP_address/mac_address for authenticated host

%PIX-4-408001: IP route counter negative - reason, IP_address Attempt: number

%PIX-4-409001: Database scanner: external LSA IP_address netmask is lost, reinstalls

%PIX-4-409002: db_free: external LSA IP_address netmask

%PIX-4-409003: Received invalid packet: reason from IP_address, interface_name

%PIX-4-409004: Received reason from unknown neighbor IP_address

%PIX-4-409005: Invalid length number in OSPF packet from IP_address (ID IP_address), interface_name

%PIX-4-409006: Invalid lsa: reason Type number, LSID IP_address from IP_address, IP_address, interface_name

%PIX-4-409007: Found LSA with the same host bit set but using different mask LSA ID IP_address netmask New: Destination IP_address netmask

%PIX-4-409008: Found generating default LSA with non-zero mask LSA type : number Mask: IP_address metric : number area : string

%PIX-4-409009: OSPF process number cannot start. There must be at least one up IP interface, for OSPF to use as router ID

%PIX-4-409010: Virtual link information found in non-backbone area: string

%PIX-4-409011: OSPF detected duplicate router-id IP_address from IP_address on interface interface_name

%PIX-4-409012: Detected router with duplicate router ID IP_address in area string

%PIX-4-409013: Detected router with duplicate router ID IP_address in Type-4 LSA advertised by IP_address

%PIX-4-410001: UDP DNS packet dropped due to domainname length check of 255 bytes: actual length:<n> bytes

%PIX-5-503001: Process number, Nbr IP_address on interface_name from string to string, reason

%PIX-5-611104: Serial console idle timeout exceeded

%PIX-6-605004: Login denied from {source_address/source_port | serial} to {interface_name:dest_address/service | console} for user "user"

%PIX-6-605005: Login permitted from {source_address/source_port | serial} to {interface_name:dest_address/service | console} for user "user"

%PIX-6-611312: VPNClient: Backup Server List: reason

%PIX-3-611313: VPNClient: Backup Server List Error: reason

%PIX-6-611314: VPNClient: Load Balancing Cluster with Virtual IP: IP_address has redirected the PIX to server IP_address

%PIX-6-611315: VPNClient: Disconnecting from Load Balancing Cluster member IP_address

%PIX-6-611316: VPNClient: Secure Unit Authentication Enabled

%PIX-6-611317: VPNClient: Secure Unit Authentication Disabled

%PIX-6-611318: VPNClient: User Authentication Enabled: Auth Server IP: IP_address Auth Server Port: port Idle Timeout: time

%PIX-6-611319: VPNClient: User Authentication Disabled

%PIX-6-611320: VPNClient: Device Pass Thru Enabled

%PIX-6-611321: VPNClient: Device Pass Thru Disabled

%PIX-6-611322: VPNClient: Extended XAUTH conversation initiated when SUA disabled

%PIX-6-611323: VPNClient: Duplicate split nw entry

%PIX-6-613001: Checksum Failure in database in area string Link State Id IP_address Old Checksum number New Checksum number

%PIX-6-613002: interface interface_name has zero bandwidth

%PIX-6-613003: IP_address netmask changed from area string to area string

%PIX-6-620001: Pre-allocate CTIQBE {RTP | RTCP} secondary channel for interface_name:outside_address[/outside_port] to interface_name:inside_address[/inside_port] from CTIQBE_message_name message

%PIX-4-620002: Unsupported CTIQBE version: hex: from interface_name:IP_address/port to interface_name:IP_address/port

%PIX-7-703001: H.225 message received from interface_name:ip_address/port to interface_name:ip_address/port is using an unsupported version number

%PIX-7-703002: Received H.225 Release Complete with newConnectionNeeded for interface_name:ip_address to interface_name:ip_address/port

%PIX-7-710001: TCP access requested from source_address/source_port to interface_name:dest_address/service

%PIX-7-710002: {TCP|UDP} access permitted from source_address/source_port to interface_name:dest_address/service

%PIX-3-710003: {TCP|UDP} access denied by ACL from source_address/source_port to interface_name:dest_address/service

%PIX-4-710004: TCP connection limit exceeded from source_address/source_port to interface_name:dest_address/service

%PIX-7-710005: {TCP|UDP} request discarded from source_address/source_port to interface_name:dest_address/service

%PIX-7-710006: protocol request discarded from source_address to interface_name:dest_address

Deleted Messages in Version 6.3.1

Table 1-1 lists messages that were deleted from Version 6.3.1:

Table 1-1 Deleted Messages from Version 6.3.1

Message | Reason Deleted
%PIX-5-111006: Console Login from user at IP_addr | Replaced by message number 605005
%PIX-6-307001: Denied Telnet login session from IP_addr on interface int_name | Replaced by message number 710003
%PIX-6-307002: Permitted Telnet login session from IP_addr | Replaced by message number 605005
%PIX-6-307003: telnet login session failed from IP_addr (num attempts) on interface int_name | Replaced by message number 605004
%PIX-4-307004: Telnet session limit exceeded. Connection request from IP_addr on interface int_name | Replaced by message number 710004
%PIX-3-309001: Denied manager connection from IP_addr. | Replaced by message number 710003
%PIX-4-309004: Manager session limit exceeded. Connection request from IP_addr on interface int_name | Replaced by message number 710004
%PIX-3-315001: Denied SSH session from IP_addr on interface int_name | Replaced by message number 710003
%PIX-6-315002: Permitted SSH session from IP_addr on interface int_name for user user_id | Replaced by message number 605005
%PIX-6-315003: SSH login session failed from IP_addr on (num attempts) on interface int_name by user user_id | Replaced by message number 605004
%PIX-4-315005: SSH session limit exceeded. Connection request from IP_addr on interface int_name | Replaced by message number 710004
%PIX-6-605001: HTTP daemon interface interface_name: connection denied from IP_address | Replaced by message number 710003
%PIX-6-605002: HTTP daemon connection limit exceeded | Replaced by message number 710004
%PIX-6-605003: HTTP daemon: Login failed from IP_address for user user | Replaced by message number 605004


New and Changed Messages in Version 6.3.2

The following sections list messages that were added or changed in Version 6.3.2:

New Messages in Version 6.3.2

Changed Messages in Version 6.3.2

New Messages in Version 6.3.2

The following messages were added in Version 6.3.2:

%PIX-4-411001: Line protocol on interface interface_name changed state to up

%PIX-4-411002: Line protocol on interface interface_name changed state to down

Changed Messages in Version 6.3.2

The following messages were changed in Version 6.3.2:

%PIX-3-305009: Teardown <type> translation from <interface>:<address> to <interface>[<acl>]:<address> duration <HH:MM:SS>

%PIX-6-305010: Teardown {dynamic|static} translation from interface_name [(<acl-name>)]:real_address to interface_name:mapped_address duration time

%PIX-6-305011: Built {dynamic|static} {TCP|UDP|ICMP} translation from interface_name [(<acl-name>)]:real_address/real_port to interface_name:mapped_address/mapped_port

%PIX-6-305012: Teardown {dynamic|static} {TCP|UDP|ICMP} translation from interface_name [(<acl-name>)]:real_address/{real_port|real_ICMP_ID} to interface_name:mapped_address/{mapped_port|mapped_ICMP_ID} duration time

Logging Command Overview

Table 1-2 lists the PIX Firewall logging commands that you can use to configure and manage logging. See the Cisco PIX Firewall Command Reference for detailed descriptions and additional logging commands. To use the logging command, access the configuration mode on the PIX Firewall by entering the configure terminal command.

Many of the logging commands require that you specify a severity level threshold to indicate which syslog messages can be sent to the output locations. The lower the level number, the more severe the error. The default severity level is 3. Specify the severity level as either a number or a keyword as described in Table 1-3. The level you specify causes PIX Firewall to send messages of that level or lower to the output location; for example, if you specify severity level 3, PIX Firewall sends severity level 1, 2, and 3 messages to the output location.

PIX Firewall has a fixed number of blocks in memory that can be allocated for buffering syslog messages. The number of blocks required depends on the length of the message queue and the number of syslog hosts specified. If the available memory is exceeded, the following message appears:

Warning: failed to register nnn blocks for logging 

Where nnn is the number of 256-byte blocks that could not be allocated. To resolve this problem, reduce the number of buffered messages using the logging queue command or reduce the number of syslog hosts specified.

Some commands support the format emblem option. EMBLEM syslog format is designed to be consistent with the Cisco IOS format and is more compatible with CiscoWorks management applications.


Note Syslog does not generate level 0 emergency messages. This level is provided in the logging command for compatibility with the UNIX syslog feature, but is not used by PIX Firewall.


Table 1-2 PIX Firewall Logging Commands 

Type
Command
Description

Enabling Logging

logging on

Enables transmission of syslog messages to all output locations. You can disable sending syslog messages with the no logging on command.

You must also set a logging output location to see any logs.

show logging

Lists the current syslog messages and which logging command options are enabled.

Setting the Message Level or Disabling Messages

logging message message_number level severity_level

Sets the severity level of a specific syslog message. Use the no logging message message_number level severity_level command to use the default level.

no logging message message_number

Disables specific syslog messages. Use the logging message message_number command to resume logging of specific disabled messages.

show logging disabled

Displays a complete list of disabled syslog messages.

clear logging disabled

Reenables all disabled syslog messages.

Specifying and Managing Output Locations

logging buffered severity_level

Stores syslog messages in the PIX Firewall so you can view them with the show logging command.

clear logging

Clears the message buffer created with the logging buffered command.

logging console severity_level

Enables syslog messages to display on the PIX Firewall console as they occur.

Set the severity_level from 1 to 7. You can also enter the level name. See Table 1-3 for more information.

Use this command when you are debugging problems or when there is minimal load on the network. Do not use this command when the network is busy, as it can reduce PIX Firewall performance.

logging monitor severity_level

Enables syslog messages to display as they occur when accessing the PIX Firewall console with Telnet.

Set the severity_level from 1 to 7. You can also enter the level name. See Table 1-3 for more information.

You must also enter the terminal monitor command to enable logging for each Telnet session.

logging trap severity_level

Enables syslog messages to be sent to a syslog server (see the logging host command to identify the server).

Set the severity_level from 1 to 7. You can also enter the level name. See Table 1-3 for more information.

logging host [interface_name] ip_address [tcp[/port] | udp[/port]] [format emblem]

Specifies a host that receives the syslog messages (a syslog server). The PIX Firewall can send messages across UDP or TCP. The default protocol and port are UDP/514. The default TCP port (if specified) is 1468. The format emblem option enables EMBLEM formatting (UDP only).

logging facility number

Sets the logging facility for a syslog server. The default is 20.

logging history severity_level

Enables syslog messages to be sent as SNMP traps (see the snmp-server enable traps command).

Set the severity_level from 1 to 7. You can also enter the level name. See Table 1-3 for more information.

Logging Options

logging device-id {hostname | ipaddress if_name | string text}

If enabled, the PIX Firewall displays the device ID in all syslog messages sent to a syslog server. The device ID does not appear in EMBLEM-formatted messages, SNMP traps, or on the firewall console, management session, or buffer. If you use the ipaddress option, the device ID becomes the specified PIX Firewall interface IP address, regardless of the interface from which the message is sent. This option provides a single consistent device ID for all messages sent from the device.

logging queue msg_count

Specifies the number of syslog messages that can appear in the message queue while awaiting processing. The default is 512 messages; set to 0 (zero) to specify unlimited messages. Use the show logging queue command to view queue statistics.


Enabling Logging

To enable logging, follow these steps. These steps enable logging; however, you must also set an output location to view the log messages. See the "Setting the Syslog Output Location" section for more information.


Step 1 To enable logging, enter:

logging on

By default, the logging level is set to 3 (error).

Step 2 To change the logging level, enter:

logging trap severity_level (1-7)

Step 3 To view your logging settings, enter:

show logging


Testing the Logging Output

To test the logging output, follow these steps:


Step 1 To initiate a log message to be sent to the console, enter:

logging console 7
quit

This test generates the following syslog message:

111005: nobody End configuration: OK

This message states that you exited configuration mode. "111005" is the message identifier number (see "System Log Messages," for more information about this message). The term "nobody" indicates you are accessing the PIX Firewall console from the serial console port.

Step 2 To disable logging to the console, enter:

no logging console 7
quit


You should only use the logging console command for testing. When the PIX Firewall is in production, only use the logging buffered command to store messages, the show logging command to view messages, and the clear logging command to clear the messages displayed by the logging buffered command.

Setting the Syslog Output Location

This section includes the following topics:

Sending Syslog Messages to the Buffer

Sending Syslog Messages to a Telnet Console Session

Sending Syslog Messages to a Syslog Server

Sending Syslog Messages to an SNMP Management Station

You can configure the PIX Firewall system software to send syslog messages to the output location of your choice. The PIX Firewall provides several output locations for sending syslog messages:

The console

We recommend sending syslog messages directly to the console only during testing. See the "Testing the Logging Output" section.

The buffer

A Telnet connection

A host running a syslog server

An SNMP management station.


Note You can also view syslog messages using the Monitoring tab within the Cisco PIX Device Manager (PDM). Refer to the PDM online Help for additional information.


Sending Syslog Messages to the Buffer

Follow these steps to send syslog messages to the logging buffer, and then view the buffer on the PIX Firewall console:


Step 1 To store messages for display, enter the following command:

logging buffered severity_level (1-7)

Step 2 To view the messages on the console, enter the following command:

show logging

Step 3 To clear the buffer so that viewing new messages is easier, enter:

clear logging

Step 4 To disable message logging, enter:

no logging buffered

New messages append to the end of the listing.


Sending Syslog Messages to a Telnet Console Session

Follow these steps to view syslog messages in a Telnet console session:


Step 1 If you have not done so already, configure the PIX Firewall to let a host on the inside interface access the PIX Firewall.

a. Enter:

telnet ip_address [subnet_mask] [if_name]

For example, if a host has the IP address 192.168.1.2, the command is:

telnet 192.168.1.2 255.255.255.255

b. You should also set the duration that a Telnet session can be idle before PIX Firewall disconnects the session to a value greater than the default of 5 minutes. A good value is at least 15 minutes, which you can set as follows:

telnet timeout 15

Step 2 Start Telnet on your host and specify the inside interface of the PIX Firewall.

When Telnet connects, the PIX Firewall prompts you with PIX passwd:.

Step 3 Enter the Telnet password, which is cisco by default.

Step 4 To enable configuration mode, enter:

enable
(Enter your password at the prompt)
configure terminal

Step 5 To start message logging, enter:

logging monitor severity_level (1-7)

Step 6 To send logs to this Telnet session, enter:

terminal monitor

This command enables logging only for the current Telnet session. The logging monitor command sets the logging preferences for all Telnet sessions, while the terminal monitor (and terminal no monitor) commands control logging for each individual Telnet session.

Step 7 Trigger some events by pinging a host or starting a web browser. The syslog messages then appear in the Telnet session window.

Step 8 When done, disable this feature with the following commands:

terminal no monitor
no logging monitor


Sending Syslog Messages to a Syslog Server

If you send messages to a host, they are sent using either UDP or TCP. The host must run a program (known as a server) called syslogd. UNIX provides a syslog server as part of its operating system. For Windows 95 or Windows 98, obtain a syslog server from another vendor.

See the Cisco PIX Firewall and VPN Configuration Guide for the procedure to configure syslogd. On the logging server, you can specify actions to execute when certain types of messages are logged; for example, sending email, saving records to a log file, or displaying messages on a workstation.

Follow these steps to configure the firewall to send messages to a syslog server:


Step 1 To designate a host to receive the messages, enter:

logging host [interface] ip_address [tcp[/port] | udp[/port]] [format emblem]

For example:

logging host dmz1 192.168.1.5

You can enter this command multiple times to specify additional servers so that if one goes offline, another is available to receive messages.

Step 2 To set the logging level, enter:

logging trap severity_level (1-7)

We recommend that you use the debugging (7) level during initial setup and during testing. Thereafter, set the level from debugging to errors (3) for production use.

Step 3 If you want to include the device ID in each message, enter:

logging device-id {hostname | ipaddress if_name | string text}

Messages sent to a syslog server then include the specified device ID: the hostname, the IP address of the specified interface (even if the message leaves through another interface), or the string you supply. The device ID does not appear in EMBLEM-formatted messages, SNMP traps, or on the firewall console, management session, or buffer.

Step 4 If needed, set the logging facility to a value other than its default of 20. Most UNIX systems expect the messages to arrive at facility 20:

logging facility number


In the event that all syslog servers are offline, PIX Firewall stores up to 100 messages in its memory. Subsequent messages that arrive overwrite the buffer starting from the first line.

Sending Syslog Messages to an SNMP Management Station

To receive Syslog messages on an SNMP management station, complete the following procedures:

Receiving SNMP Requests

Sending SNMP Traps

Receiving SNMP Requests

Follow these steps for the PIX Firewall to receive requests from an SNMP management station:


Step 1 To set the IP address of the SNMP management station, enter:

snmp-server host [if_name] ip_addr

Step 2 Set other SNMP server settings as required:

snmp-server location text
snmp-server contact text
snmp-server community key

See the Cisco PIX Firewall Command Reference for more information.


Sending SNMP Traps

Follow these steps to send log messages as traps from the PIX Firewall to an SNMP management station (cold start, link up, and link down generic traps are already enabled by the "Receiving SNMP Requests" procedure):


Step 1 Enter:

snmp-server enable traps

Step 2 To set the logging level, enter:

logging history severity_level (1-7)

We recommend that you use the debugging (7) level during initial setup and during testing. Thereafter, set the level from debugging to a lower value for production use.

Step 3 To disable sending syslog traps, enter:

no snmp-server enable traps


Disabling and Enabling Specific Syslog Messages

The following sections describe how to disable, reenable, or view disabled syslog messages:

Disabling Specific Syslog Messages

Viewing a List of Disabled Syslog Messages

Reenabling Specific Disabled Syslog Messages

Reenabling All Disabled Syslog Messages

Disabling Specific Syslog Messages

Enter the following command to disable specific syslog messages:

no logging message message_number

where message_number is the specific message you want to disable.


Note The following message cannot be disabled:
%PIX-6-199002: PIX startup completed. Beginning operation.


Viewing a List of Disabled Syslog Messages

To view a list of disabled syslog messages, enter the following command:

show logging disabled

Reenabling Specific Disabled Syslog Messages

To reenable disabled syslog messages, enter the following command:

logging message message_number

where message_number is the specific message you want to reenable.

Reenabling All Disabled Syslog Messages

To reenable all disabled syslog messages, enter the following command:

clear logging message

Understanding Log Messages

This section includes the following topics:

Log Message Format

Severity Levels

Variables

Log Message Format

System log messages begin with a percent sign (%) and are structured as follows:

%PIX-Level-Message_number: Message_text

See the following descriptions:

PIX

Identifies the message facility code for messages generated by the PIX Firewall. This value is always PIX.

Level

1-7. The level reflects the severity of the condition described by the message. The lower the number, the more severe the condition. See Table 1-3 for more information.

Message_number

A unique 6-digit number that identifies the message.

Message_text

A text string describing the condition. This portion of the message sometimes includes IP addresses, port numbers, or usernames. Table 1-4 lists the variable fields and the type of information in them.



Note Syslog messages received at the PIX Firewall serial console contain only the code portion of the message. When you view the message description in "System Log Messages," the description also provides the severity level.


Severity Levels

Table 1-3 lists the severity levels. Logging is set to level 3 (error) by default.


Note Syslog does not generate level 0 emergency messages. This level is provided in the logging command for compatibility with the UNIX syslog feature, but is not used by PIX Firewall.


Table 1-3 Log Message Severity Levels

Level Number | Level Keyword | Description
0 | emergency | System unusable.
1 | alert | Immediate action needed.
2 | critical | Critical condition.
3 | error | Error condition.
4 | warning | Warning condition.
5 | notification | Normal but significant condition.
6 | informational | Informational message only.
7 | debugging | Appears during debugging only.


"Messages Listed by Severity Level" lists which messages occur at each severity level.

Variables

Log messages often contain variables. Table 1-4 lists most variables that are used in this guide to describe log messages. Some variables that appear in only one log message are not listed.

Table 1-4 Variable Fields in Syslog Messages

Variable | Type of Information

Type: Misc.
acl_ID | An ACL name.
command | A command name.
command_modifier | One of the following strings: cmd (the command has no modifier), clear, no, or show.
connection_type | The connection type: SIGNALLING UDP, SIGNALLING TCP, SUBSCRIBE UDP, SUBSCRIBE TCP, Via UDP, Route, RTP, or RTCP.
device | The memory storage device. For example, the floppy disk, Flash memory, TFTP, the failover standby unit, or the console terminal.
filename | A filename of the type PIX Firewall image, PDM file, or configuration.
privilege_level | The user privilege level.
reason | A text string describing the reason for the message.
string | Text string (for example, a username).
tcp_flags | Flags in the TCP header, such as ACK, FIN, PSH, RST, SYN, or URG.
url | A URL.
user | A username.

Type: Numbers
number | A number. The exact form depends on the log message.
bytes | The number of bytes.
code | A decimal number returned by the message to indicate the cause or source of the error, depending on the message.
connections | The number of connections.
elimit | Number of embryonic connections specified in the static or nat command.
econns | Number of embryonic connections.
nconns | Number of connections permitted for the static or xlate table.
time | Duration, in the format hh:mm:ss.
dec | Decimal number.
hex | Hexadecimal number.
octal | Octal number.

Type: Addresses
IP_address | IP address in the form n.n.n.n, where n is an integer from 1 to 255.
MAC_address | The MAC address.
outside_address | Outside (or foreign) IP address, an address of a host typically on a lower security level interface in a network beyond the outside router.
inside_address | Inside (or local) IP address, an address on a higher security level interface.
global_address | Global IP address, an address on a lower security level interface.
source_address | The source address of a packet.
dest_address | The destination address of a packet.
real_address | The real IP address, before Network Address Translation (NAT).
mapped_address | The translated IP address.
gateway_address | The network gateway IP address.
netmask | The subnet mask.

Type: Interfaces
interface_number | The interface number, 1 to n, where the number is determined by the order the interfaces load in the PIX Firewall. See the sample show nameif command output after this table.
interface_name | The name assigned to the interface. Use the show nameif command to view the interfaces and their names.

Type: Ports, Services, and Protocols
port | The TCP or UDP port number.
outside_port | The outside port number.
inside_port | The inside port number.
source_port | The source port number.
dest_port | The destination port number.
real_port | The real port number, before NAT.
mapped_port | The translated port number.
global_port | The global port number.
protocol | The protocol of the packet, for example, ICMP, TCP, or UDP.
service | The service specified by the packet, for example, SNMP or Telnet.

Sample show nameif command output, illustrating how interface_number is assigned:

show nameif
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif token0 outside security20
nameif ethernet2 inside security30

In this example, ethernet0 would appear in a syslog message as interface 0, ethernet1 would be interface 1, token0 would be interface 2, and ethernet2 would be interface 3.


Other Remote Management and Monitoring Tools

In addition to the system log function, you can remotely monitor the PIX Firewall using other tools, which are described in the following topics:

Cisco PIX Device Manager

Cisco Secure Policy Manager

SNMP Traps

Telnet

Cisco PIX Device Manager

The Cisco PIX Device Manager (PDM) is a browser-based configuration tool designed to help you set up, configure, and monitor your PIX Firewall graphically, without requiring an extensive knowledge of the PIX Firewall command-line interface (CLI). PDM ships with every PIX Firewall running software Version 6.0(1) and higher. Refer to the Cisco PIX Device Manager Installation Guide for more information.

Cisco Secure Policy Manager

Cisco Secure Policy Manager (CSPM) is a security policy management system that enables you to define, distribute, enforce, and audit network-wide security policies from a central location. CSPM streamlines the tasks of managing complicated network security events, such as perimeter access control, Network Address Translation (NAT), IDS, and IPSec-based VPNs. CSPM provides system-auditing functions, including monitoring, event notification, and web-based reporting.

CSPM can receive syslog messages from the PIX Firewall and provide notifications including email, paging, and scripting for designated syslogs. CSPM also provides reports of PIX Firewall syslogs, including the top ten users and top ten websites. These reports can be provided both on-demand and by schedule. Reports can be emailed or viewed remotely from an SSL-enabled web browser.

Refer to the following websites for more information:

http://www.cisco.com/go/policymanager

http://www.cisco.com/univercd/cc/td/doc/product/ismg/policy/index.htm

SNMP Traps

The PIX Firewall events can be reported using SNMP. This feature requires loading the Cisco SYSLOG MIB and the Cisco SMI MIB onto the SNMP management station.

Telnet

You can log in to the PIX Firewall console using Telnet from an internal host and monitor system status. If IPSec is enabled, you can also access the console from an external host. You can use the debug icmp trace and debug sqlnet commands from Telnet to view ICMP (ping) traces and SQL*Net accesses.

The Telnet console session also lets you use the logging monitor and terminal monitor commands to view syslog messages, as described in the "Sending Syslog Messages to a Telnet Console Session" section.